When you use the New Password Policy wizard to create a Password Policy, you are prompted to decide what Forgotten Password features you want to provide to your end users.
This section gives more detail about your options and shows examples of the end-user experience when using the "Forgot your password?" link.
A Challenge Set is a set of questions that can be answered by a user to prove his or her identity, instead of using a password. The Challenge Set is assigned to a Password Policy and is used as part of a Password Policy's method of authentication. You can use Challenge Sets as part of providing Forgotten Password self-service for your users. Requiring a user to answer Challenge Set questions before receiving forgotten password help provides an additional level of security. To use a Challenge Set, use the Manage Password Policies task to create a Password Policy and set up Forgotten Password.
When you create a Password Policy, you can enable Forgotten Password self-service so that users can get help without calling the help desk. To make self-service more secure, you can create a Challenge Set and specify that users must answer the Challenge Set questions before obtaining forgotten password help. You also specify what action takes place to help users after they answer the questions, such as displaying a Password Hint to the user. These self-service features are available to users through the Novell iManager self-service console. Your choices are explained in Forgotten Password Actions.
You define the structure of the Challenge Set questions, using the following choices:
Admin-Defined: The administrator can create questions that are presented to every user. Each user's answer, however, is unique.
User-Defined: The administrator can specify that one or more questions are created by the user. In this case, both the questions and the answers for each user will be unique.
Required: Questions in this list are always presented to users when they use the Forgotten Password self-service feature.
Random: Questions in this list are presented to the user as a complete set only once, when the user sets up Forgotten Password by answering the Challenge Set questions the first time. When the user needs to access the Forgotten Password, only a few of the questions are presented for the user to answer. The number of random questions presented is determined by the administrator.
A user's responses and user-defined questions are stored in Novell eDirectory by Novell Modular Authentication Services (NMAS).
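The following example models the Challenge Set behaviour just described: the complete set (Required and Random, Admin-Defined and User-Defined) is presented once at set-up time, and at recovery time every Required question is asked together with an administrator-chosen number of Random questions. This is added illustrative code, not NMAS or eDirectory code; the question texts, the sample answers and the salted-hash storage of answers are assumptions made for the example (the page does not describe how NMAS stores responses).

```python
import hashlib
import hmac
import os
import random
import unicodedata
from dataclasses import dataclass, field

# Illustrative model of a Challenge Set. Added example code, not NMAS/eDirectory
# code; question texts, answers and the storage format are constructed.


@dataclass(frozen=True)
class Question:
    text: str            # admin-defined: the question; user-defined: a slot label
    admin_defined: bool  # False means the user supplies the question text
    required: bool       # False means the question is in the Random list


@dataclass
class ChallengeSet:
    questions: list       # Question instances
    random_count: int     # how many Random-list questions are asked at recovery time


@dataclass
class Enrollment:
    """Per-user data stored at set-up time: final question texts plus an answer hash each."""
    salt: bytes
    required: dict = field(default_factory=dict)     # question text -> answer hash
    random_pool: dict = field(default_factory=dict)  # question text -> answer hash


def normalize(answer: str) -> str:
    """Fold case, whitespace and Unicode form so 'Fluffy ' and 'fluffy' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Assumption: answers are stored salted and hashed, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)


def enroll(cs: ChallengeSet, user_questions: dict, answers: dict) -> Enrollment:
    """Set-up: the complete set is presented once. user_questions maps a user-defined
    slot label to the question the user wrote; answers maps final question text to answer."""
    enr = Enrollment(salt=os.urandom(16))
    for q in cs.questions:
        text = q.text if q.admin_defined else user_questions[q.text]
        target = enr.required if q.required else enr.random_pool
        target[text] = hash_answer(answers[text], enr.salt)
    return enr


def select_for_recovery(cs: ChallengeSet, enr: Enrollment, seed=None) -> list:
    """Recovery: every Required question plus random_count questions from the Random list.
    A seed is accepted only to make the selection reproducible in tests."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    pool = list(enr.random_pool)
    chosen = rng.sample(pool, min(cs.random_count, len(pool)))
    return list(enr.required) + chosen


def verify(enr: Enrollment, presented: list, responses: dict) -> bool:
    """True only if every presented question was answered correctly (constant-time compares)."""
    stored = {**enr.required, **enr.random_pool}
    ok = True
    for text in presented:
        given = responses.get(text, "")
        ok &= hmac.compare_digest(stored[text], hash_answer(given, enr.salt))
    return ok


# Constructed sample Challenge Set: one Required admin question, three Random admin
# questions and one Random user-defined slot; two Random questions asked at recovery.
CHALLENGE_SET = ChallengeSet(
    questions=[
        Question("What was the make of your first car?", True, True),
        Question("In what city were you born?", True, False),
        Question("What was the name of your first pet?", True, False),
        Question("What was your childhood nickname?", True, False),
        Question("User question 1", False, False),
    ],
    random_count=2,
)

# Constructed answers for one sample user.
ANSWERS = {
    "What was the make of your first car?": "Volvo",
    "In what city were you born?": "Oslo",
    "What was the name of your first pet?": "Fluffy",
    "What was your childhood nickname?": "Bean",
    "Which street did you grow up on?": "Elm Street",
}
SAMPLE = enroll(CHALLENGE_SET, {"User question 1": "Which street did you grow up on?"}, ANSWERS)

if __name__ == "__main__":
    asked = select_for_recovery(CHALLENGE_SET, SAMPLE)
    print("Asked at recovery:", asked)
    print("Correct answers accepted:", verify(SAMPLE, asked, {q: ANSWERS[q] for q in asked}))
```

Note that the server verifies exactly the questions it presented, so a client cannot answer a smaller or different subset, and that the stored answer hashes (unlike a Password Hint) are never exposed to unauthenticated users.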
Here's an example of the screen where you create a new Challenge Set. You can choose from some sample questions that are provided by default, or add your own.
The following Forgotten Password Actions are provided in a Password Policy, if you enable Forgotten Password:
Allow user to reset password on page: After answering the Challenge Set questions to prove his or her identity, the user is allowed to change to a new password. Because the user has authenticated through answering the challenge questions, the user is allowed to change the password without being required to provide the old password. To use this option, the administrator must require a Challenge Set, and the user must have previously set up Forgotten Password in the iManager self-service console by answering the Challenge Set questions.
E-mail current password to user: After answering the Challenge Set questions to prove his or her identity, the user receives the current password in an e-mail. To use this option, the administrator must enable Universal Password for the policy and enable the option "Allow user to retrieve password" (both are found in Universal Password > Configuration Options), and must set up e-mail notification as described in Configuring E-Mail Notification. Also, the user must have previously set up Forgotten Password in the iManager self-service console by answering the Challenge Set questions.
E-mail hint to user: The user receives the Password Hint in an e-mail. To use this option, the administrator must set up e-mail notification as described in Configuring E-Mail Notification, and the user must have previously set up Forgotten Password in the iManager self-service console by providing a Password Hint.
Show hint on page: The user is shown the Password Hint in the iManager self-service console. To use this option, the user must have previously set up Forgotten Password in the iManager self-service console by providing a Password Hint.
If you specify a Forgotten Password Action that requires Password Hint, the user can enter a hint that is a reminder of the password. The Password Hint is checked to make sure that it does not contain the user's password.
The Password Hint attribute (nsimHint) is publicly readable, to allow unauthenticated users who have forgotten a password to access their own hint. Password Hints can be a big help in reducing help desk calls.
For security, Password Hints are checked to make sure they do not contain the user's actual password. However, a user could still create a Password Hint that gives too much information about the password.
To increase security when using Password Hints,
If you choose not to use Password Hint at all, make sure you don't use it in any of the Password Policies. To prevent Password Hints from being set, you can go a step further and remove the Hint Setup gadget completely, as described in Disabling Password Hint by Removing the Hint Gadget.
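Because the hint attribute is publicly readable, the check that a hint does not contain the password is the main control over what a hint can reveal. The following example, added here and not NMAS code, shows that check together with stricter variants a deployment might apply at hint set-up time (reversed password, password with separators removed, long runs of characters shared with the password). The threshold of three shared characters is an assumption chosen for the example, as are the sample hints and passwords.

```python
import unicodedata

# Added example of hint validation, not NMAS code. The basic rule (hint must not
# contain the password) matches the page; the extra rules and the threshold are
# assumptions for this example.


def _fold(s: str) -> str:
    """Case- and Unicode-insensitive form for comparison."""
    return unicodedata.normalize("NFKC", s).casefold()


def _strip_separators(s: str) -> str:
    """Remove spaces and punctuation so 'f-l-u-f-f-y' compares as 'fluffy'."""
    return "".join(ch for ch in s if ch.isalnum())


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters that appears in both strings."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def hint_problems(hint: str, password: str, max_shared: int = 3) -> list:
    """Return the reasons a hint should be rejected; an empty list means it is acceptable."""
    problems = []
    h, p = _fold(hint), _fold(password)
    if not p:
        return ["no password to compare against"]
    if p in h:
        problems.append("hint contains the password")
    if p[::-1] in h:
        problems.append("hint contains the password reversed")
    hs, ps = _strip_separators(h), _strip_separators(p)
    if ps and ps in hs:
        problems.append("hint contains the password with spaces/punctuation removed")
    shared = longest_common_substring(hs, ps)
    if shared > max_shared:
        problems.append(f"hint shares a {shared}-character run with the password")
    return problems


# Constructed sample hints and password for demonstration.
SAMPLES = [
    ("the usual", "Fluffy2024!"),
    ("It is Fluffy2024!", "Fluffy2024!"),
    ("f-l-u-f-f-y 2024", "Fluffy2024!"),
    ("the cat plus the year", "Fluffy2024!"),
]

if __name__ == "__main__":
    for hint, pw in SAMPLES:
        verdict = hint_problems(hint, pw) or ["accepted"]
        print(f"{hint!r}: {', '.join(verdict)}")
```

The checks run once, when the user saves the hint, and only against the current password; a hint that is acceptable under these rules can still be a meaningful clue to anyone who reads the public attribute, which is why the page recommends choosing another Forgotten Password action if that exposure is not acceptable.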
For some Forgotten Password actions, the end user must do some setup before he or she can use the Forgotten Password self-service. For example, if the Password Policy specifies that a Challenge Set is used to allow a user to prove identity, and if the forgotten password action is to e-mail a Password Hint to the user, then the user must first answer Challenge Set questions and create a Password Hint before being able to use Forgotten Password Self-Service.
Users can initiate setting up these features in the iManager self-service console, or you can require that users set them up using post-authentication services (pages displayed when users log in to the iManager self-service console).
To prompt users to set up these features at login time, select the option in the Password Policies interface at the bottom of the Forgotten Password page, named "Force users to configure Challenge Questions and/or Hint upon authentication." This is selected by default when you create a policy.
To let users set up Forgotten Password at a time of their choice, you need to give them the URL for the iManager self-service console, such as https://www.my_iManager_server.com/nps.
Clicking the "Forgot your password?" link when logging in to the iManager self-service console (such as https://www.servername.com/nps) does not work for the user unless the following conditions are met:
There are two ways the user's part of the configuration can be accomplished:
The administrator can require the user to set up Forgotten Password features after a successful login by checking the Forgotten Password option to force the user to configure Challenge Questions and/or Hint upon authentication. If this option is selected, and a user does not have questions or a hint set up, then Forgotten Password configuration gadgets are displayed to the user the next time he or she logs in through the iManager self-service console (such as https://www.servername.com/nps). This is called post-authentication setup.
The following screen shows Challenge Set setup, post-authentication.
The following screen shows Password Hint setup, post-authentication.
When users log in through the portal, they enter the iManager self-service console, which gives the user access to the gadgets for setting up or changing Challenge Sets and Password Hints for Forgotten Password Self-Service. This is the same place where the user can initiate a password change. The names of the gadgets the user can access here are
The user can initiate changing these at any time. If a hint or Challenge Set is not required for the user's Password Policy, then the user cannot set them up. The page will display a message indicating that the options are not accessible.
The following figure shows the Hint Setup page:
The following figure shows the Answer Challenge Questions page:
The first questions listed in this example are administrator-defined, and the others are user-defined. The user answers the administrator questions, and creates both a question and answer for the user-defined questions, as in the following example:
The following figure shows the Change Password (Universal) page:
If an administrator creates or changes a Password Policy, he or she can require users to change existing passwords that don't comply, the next time they log in through the portal.
This is done by setting an option in the Password Policy, in the Universal Password tab under Configuration Options. The option is called "Verify whether existing passwords comply with the password policy (verification occurs on login)." By default, this option is turned off when you create a new Password Policy. The following figure shows the page where you set this option:
If this option is set, the next time users log in through the portal, their passwords will be checked for compliance with the Password Policy. If the password does not comply, a page like the following is displayed, and the user is not allowed to log in without changing the password.
This section explains the user's experience when using Forgotten Password Self-Service.
After you have installed the iManager plug-ins that shipped with Identity Manager, the Forgotten Password link shows up in the iManager self-service console (such as https://www.servername.com/nps), as shown in the following figure.
If a user clicks this link, the following page is displayed, asking for the username:
After the username is entered, the Forgotten Password settings determine what the user sees.
For example, if the administrator specified in the Password Policy that a Challenge Set is used, then a page like the following is displayed, and the user must answer Challenge Set questions to prove his or her identity.
If the administrator specified that the Forgotten Password action is "Show hint on page," a page like the following is displayed:
If the administrator specified that the Forgotten Password action is "E-mail current password to user," or "E-mail hint to user," a message is displayed on the page saying that the password or hint has been e-mailed. The user receives an e-mail like the following:
If you don't want the "Forgot your password?" link to appear in the portal, you can turn it off using the following steps:
In iManager, click the Configure icon to enter the Administration gadget.
Click Portal Platform Configuration > Gadgets.
In the list of Gadgets, select the Forgot Password gadget.
Click the Edit button, then click Configuration. Click the All Settings button.
Add a keypair in the gadget settings, as shown in the figure.
ShowForgotLink=false
If this keypair does not exist at all in the gadget settings, the default behavior is true.
Click Continue, and click Save on the next page to save the changes.
Restart the Web server so the change will take effect.
Password Hint is one method of helping users remember a password as part of Forgotten Password Self-Service. In the Password Policy, the Forgotten Password actions that use Password Hint are named "E-mail hint to user" or "Show hint on page."
In order for Password Hint to be useful to a user who has forgotten a password, unauthenticated users must have public access to the Password Hint attribute (nsimHint). Although the Password Hint is checked to make sure the user has not included the actual password when creating the hint, you might still consider this public access to be a security issue.
If you don't want to use Password Hints, choose a different option for the Forgotten Password action in the Password Policy.
In addition, you can remove the Hint Setup gadget completely, if desired.
After installing the Identity Manager plug-ins for iManager, use the Configure view to remove the Hint Setup gadget.
In iManager, click the Configure icon.
Click Portal Platform Configuration > Gadgets.
In the list of gadgets, select Hint Setup.
Click Delete.
After deleting the gadget, Hint Setup is no longer available to the user. The post-authentication services query for the existing gadgets before adding them to the delegation list. Regardless of what the policy states for post-authentication services, if the gadget does not exist, the service is not presented to the user by the post-authentication services or in the iManager self-service console.
After you delete the Hint gadget, make sure you don't select E-mail Hint or Display Hint as the forgotten password action in the Password Policy.